X-Git-Url: https://granicus.if.org/sourcecode?a=blobdiff_plain;f=src%2Fbackend%2Flibpq%2Fauth.c;h=f0561a5b969a4d0d0c01d4ee3d480870de2a2133;hb=1b4e729eaa97b6169e08abc70e84709cea2cd00a;hp=437061c21a23bb385d470d471ff745f9d3ab7b22;hpb=32c469d7b13e430105ee018b493587c4f6c0150a;p=postgresql diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index 437061c21a..f0561a5b96 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.176 2009/01/07 12:38:11 mha Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.178 2009/01/09 10:13:18 mha Exp $ * *------------------------------------------------------------------------- */ @@ -129,8 +129,6 @@ static int CheckCertAuth(Port *port); char *pg_krb_server_keyfile; char *pg_krb_srvnam; bool pg_krb_caseins_users; -char *pg_krb_server_hostname = NULL; -char *pg_krb_realm = NULL; /*---------------------------------------------------------------- @@ -645,10 +643,7 @@ pg_krb5_init(Port *port) * If no hostname was specified, pg_krb_server_hostname is already NULL. * If it's set to blank, force it to NULL. */ - if (port->hba->krb_server_hostname) - khostname = port->hba->krb_server_hostname; - else - khostname = pg_krb_server_hostname; + khostname = port->hba->krb_server_hostname; if (khostname && khostname[0] == '\0') khostname = NULL; @@ -694,7 +689,6 @@ pg_krb5_recvauth(Port *port) krb5_ticket *ticket; char *kusername; char *cp; - char *realmmatch; if (get_role_line(port->user_name) == NULL) return STATUS_ERROR; @@ -740,30 +734,31 @@ pg_krb5_recvauth(Port *port) return STATUS_ERROR; } - if (port->hba->krb_realm) - realmmatch = port->hba->krb_realm; - else - realmmatch = pg_krb_realm; - cp = strchr(kusername, '@'); if (cp) { - *cp = '\0'; + /* + * If we are not going to include the realm in the username that is passed + * to the ident map, destructively modify it here to remove the realm. Then + * advance past the separator to check the realm. + */ + if (!port->hba->include_realm) + *cp = '\0'; cp++; - if (realmmatch != NULL && strlen(realmmatch)) + if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm)) { /* Match realm against configured */ if (pg_krb_caseins_users) - ret = pg_strcasecmp(realmmatch, cp); + ret = pg_strcasecmp(port->hba->krb_realm, cp); else - ret = strcmp(realmmatch, cp); + ret = strcmp(port->hba->krb_realm, cp); if (ret) { elog(DEBUG2, "krb5 realm (%s) and configured realm (%s) don't match", - cp, realmmatch); + cp, port->hba->krb_realm); krb5_free_ticket(pg_krb5_context, ticket); krb5_auth_con_free(pg_krb5_context, auth_context); @@ -771,7 +766,7 @@ pg_krb5_recvauth(Port *port) } } } - else if (realmmatch && strlen(realmmatch)) + else if (port->hba->krb_realm&& strlen(port->hba->krb_realm)) { elog(DEBUG2, "krb5 did not return realm but realm matching was requested"); @@ -868,7 +863,6 @@ pg_GSS_recvauth(Port *port) int ret; StringInfoData buf; gss_buffer_desc gbuf; - char *realmmatch; /* * GSS auth is not supported for protocol versions before 3, because it @@ -1028,11 +1022,6 @@ pg_GSS_recvauth(Port *port) gettext_noop("retrieving GSS user name failed"), maj_stat, min_stat); - if (port->hba->krb_realm) - realmmatch = port->hba->krb_realm; - else - realmmatch = pg_krb_realm; - /* * Split the username at the realm separator */ @@ -1040,31 +1029,37 @@ pg_GSS_recvauth(Port *port) { char *cp = strchr(gbuf.value, '@'); - *cp = '\0'; + /* + * If we are not going to include the realm in the username that is passed + * to the ident map, destructively modify it here to remove the realm. Then + * advance past the separator to check the realm. + */ + if (!port->hba->include_realm) + *cp = '\0'; cp++; - if (realmmatch != NULL && strlen(realmmatch)) + if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm)) { /* * Match the realm part of the name first */ if (pg_krb_caseins_users) - ret = pg_strcasecmp(realmmatch, cp); + ret = pg_strcasecmp(port->hba->krb_realm, cp); else - ret = strcmp(realmmatch, cp); + ret = strcmp(port->hba->krb_realm, cp); if (ret) { /* GSS realm does not match */ elog(DEBUG2, "GSSAPI realm (%s) and configured realm (%s) don't match", - cp, realmmatch); + cp, port->hba->krb_realm); gss_release_buffer(&lmin_s, &gbuf); return STATUS_ERROR; } } } - else if (realmmatch && strlen(realmmatch)) + else if (port->hba->krb_realm && strlen(port->hba->krb_realm)) { elog(DEBUG2, "GSSAPI did not return realm but realm matching was requested"); @@ -1128,7 +1123,6 @@ pg_SSPI_recvauth(Port *port) SID_NAME_USE accountnameuse; HMODULE secur32; QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken; - char *realmmatch; /* * SSPI auth is not supported for protocol versions before 3, because it @@ -1341,18 +1335,13 @@ pg_SSPI_recvauth(Port *port) * Compare realm/domain if requested. In SSPI, always compare case * insensitive. */ - if (port->hba->krb_realm) - realmmatch = port->hba->krb_realm; - else - realmmatch = pg_krb_realm; - - if (realmmatch && strlen(realmmatch)) + if (port->hba->krb_realm && strlen(port->hba->krb_realm)) { - if (pg_strcasecmp(realmmatch, domainname)) + if (pg_strcasecmp(port->hba->krb_realm, domainname)) { elog(DEBUG2, "SSPI domain (%s) and configured domain (%s) don't match", - domainname, realmmatch); + domainname, port->hba->krb_realm); return STATUS_ERROR; } @@ -1361,8 +1350,22 @@ pg_SSPI_recvauth(Port *port) /* * We have the username (without domain/realm) in accountname, compare to * the supplied value. In SSPI, always compare case insensitive. + * + * If set to include realm, append it in @ format. */ - return check_usermap(port->hba->usermap, port->user_name, accountname, true); + if (port->hba->include_realm) + { + char *namebuf; + int retval; + + namebuf = palloc(strlen(accountname) + strlen(domainname) + 2); + sprintf(namebuf, "%s@%s", accountname, domainname); + retval = check_usermap(port->hba->usermap, port->user_name, namebuf, true); + pfree(namebuf); + return retval; + } + else + return check_usermap(port->hba->usermap, port->user_name, accountname, true); } #endif /* ENABLE_SSPI */